[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: A couple of questions and concerns about Emacs network security
From: |
Jimmy Yuen Ho Wong |
Subject: |
Re: A couple of questions and concerns about Emacs network security |
Date: |
Thu, 5 Jul 2018 14:50:10 +0100 |
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.0 |
I'm currently doing a second pass for my patch for bug#31946. I also
have a preliminary OCSP patch. Emacs network security is going to be a
lot better soon, I promise. Meanwhile, GnuTLS doesn't seem to have
support Certificate Transparency (gnutls#232), but you could export the
extension as DER bytes, so feel free to figure out how to deal with that
in elisp.
On 05/07/2018 14:33, Perry E. Metzger wrote:
> Old thread, but I thought I'd reply on it.
>
> On Sat, 23 Jun 2018 12:23:31 +0200 Lars Ingebrigtsen <address@hidden>
> wrote:
>> For those who don't know what this is: Some browsers now ship with
>> built-in lists of certificate hashes, so if you're visiting that
>> site and presented with a different than expected certificate,
>> you'll know that somebody else has issued a certificate for the
>> site, and somebody has hijacked the connection.
>>
>> Or, perhaps, that they just lost the private key and had to
>> generate a new certificate and now, oops, everybody that uses the
>> browsers with the built-in list will be unable to visit the site.
> What you depict there never happens. People don't lose keys in such
> circumstances.
>
> Pinning is what is done by sites like gmail to prevent third world
> dictatorships from using stolen certificate credentials to spy on
> their citizens. People who have been victims of this have had their
> email read, been arrested by state security forces for dissent, and
> have been tortured to death for lack of certificate pinning working
> in their browsers.
>
> This is a matter of life and death for many people.
>
>> do this via ELPA, I think. Whether it's worth doing is another
>> issue; I think the jury is still out on that one...
> Do you think it's worth keeping people from quite literally being
> tortured to death?
>
> For most of the secure HTTP stuff we've been discussing, I would far
> rather be inconvenienced here and there than know my slight extra
> convenience was being paid for in human blood.
>
> Perry
- Re: A couple of questions and concerns about Emacs network security, (continued)
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/07
- Re: A couple of questions and concerns about Emacs network security, Perry E. Metzger, 2018/07/07
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/07
- Re: A couple of questions and concerns about Emacs network security, Paul Eggert, 2018/07/07
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/07
- Re: A couple of questions and concerns about Emacs network security, Eli Zaretskii, 2018/07/07
- Re: A couple of questions and concerns about Emacs network security, Richard Stallman, 2018/07/07
Re: A couple of questions and concerns about Emacs network security,
Jimmy Yuen Ho Wong <=
Re: A couple of questions and concerns about Emacs network security, Richard Stallman, 2018/07/05
Re: A couple of questions and concerns about Emacs network security, Perry E. Metzger, 2018/07/05
Re: A couple of questions and concerns about Emacs network security, Perry E. Metzger, 2018/07/05